Legislation Would Stiffen Penalties for Ransomware Attacks

Using ransomware to hold computers hostage would draw stiffer penalties under legislation — prompted in part by attacks on Maryland hospitals over the past few years — state lawmakers are considering.

The legislation, which would impose tougher penalties on those convicted of ransomware crimes, was spurred by attacks like those on the University of Maryland Medical System in 2018 and on the Salisbury Police Department in January.

Hospitals and health care centers remain one of the most vulnerable industries to ransomware attacks, which could lead to disruptions of critical information systems, loss of data and even patient fatalities.

Maryland Senate bill 151, cross-filed with House bill 211, would define ransomware attacks that result in a loss greater than $1,000 as a felony, subject to a fine of up to $100,000 and a maximum sentence of 10 years in prison.

Under current Maryland law, a ransomware attack that causes a loss of less than $10,000 is considered a misdemeanor, while a breach that results in a loss greater than $10,000 is a felony.

Ransomware is a type of malware that lets attackers seize control of computers and block access to the data stored on those devices.

The attackers then refuse to release control of the devices and information until a ransom is paid.

Unpaid demands can create further problems for the victims: The ransom can increase or the hackers can permanently delete the data, according to a state analysis.

“Even when (victims) do pay the ransom there is not necessarily a guarantee that they will receive the data back,” Markus Rauschecker, the cybersecurity program manager for the University of Maryland Center for Health and Homeland Security, said during a bill hearing Jan. 31.

The bill will also introduce a new criminal offense, which prohibits violators from simply possessing ransomware with the intent to use it, with an exception for researchers, according to a state analysis.

The new legislation would authorize courts to award damages and cover attorney fees and costs for the victims of an attack, according to a state analysis.

Ransomware attacks on hospitals are a continuing problem across the country and often create major problems for the facilities, including loss of lives, misdiagnoses and other technological disadvantages for doctors and patients, Lee told Capital News Service.

In 2018, the University of Maryland Medical System’s information technology infrastructure was victim to an attempted malware infiltration.

The medical system was able to subdue the attack by implementing backup servers to ensure patient care was uninterrupted, according to a press statement.

“The most frightening part about (ransomware attacks) is that hospitals and health care sectors are especially vulnerable,” Rauschecker said. “This can ultimately mean deaths in hospitals.”

Attacks can have serious consequences due to a lack of access to electronic data or medical devices available to doctors and staff during a breach, Rauschecker said.

A 2017 Vanderbilt University research paper estimated that more than 2,000 deaths per year could be attributed to ransomware attacks on hospitals.

In 2016, Maryland’s MedStar Health system was subject to a ransomware attack that also targeted government agencies, cities and businesses around the nation. The hackers were able to get around $6 million and caused their victims to lose more than $30 million, according to a state analysis.

Rauschecker said that ransomware attacks are one of the “fast growing” areas within cyber crime.

SonicWall, a cyber-crime security company, reported about 181.5 million ransomware attacks in the first six months of 2018 — more than double the figure for the same period in 2017, but a marked decrease from the rate of attacks in 2016.

“This bill passing will be the start of raising the concern of (ransomware attacks) and how big this problem is,” Maryland State’s Attorneys’ coordinator Steve Kroll said during the bill hearing.

In January, the Salisbury Police Department suffered a ransomware attack that affected their computer systems, including email and network servers, as well as its record management systems, Capt. Rich Kaiser said.

Kaiser emphasized that while the department had no access to data during the attack, there is no evidence of police department data being stolen due to an “intricate file backup system.”

Kevin Kornegay, a professor in the school of electrical and computer engineering at Morgan State University, theorizes that while cyber breaches are targeting big corporations, ransomware attacks remain a “massive threat to small (and) mid-sized businesses,” which in many instances often go unreported.

This is because ransomware attacks commonly arrive through “phishing emails” and clickbait websites — often the attacks are minor — and small businesses tend not to report them, according to Kornegay.